You can conquer the world of domains, registering the trendiest new gTLDs, premium ccTLDs and the most brandable .com domains. But what is a powerful domain without proper security? A website without encrypted communication won’t gain user trust. Furthermore, browsers might no longer show your website, and your ranking in search engine results will suffer. On top of that, a great deal of information needs to be kept secret during digital communication. This is why encryption is now an absolute must in the digital space: it prevents third parties from intercepting and reading any data transferred between users and websites.
To learn more about this process of encoding information, we spoke to Dean Coclin. As Senior Director of Business Development at DigiCert, he is responsible for developing the company's strategic alliances and representing it in industry consortia. He is also the current CA/Browser Forum Chair and chairs the ASC X9 PKI Study Group. A true expert, he has over 30 years of experience in the fields of software, security and telecommunications.
Don’t miss this interview in our series It’s all about domains, in which Dean deciphers the mechanisms behind encryption that matter to domain owners!
Why do we want to encrypt traffic between domains?
Encrypting communications between browsers and servers or between servers allows data to be kept secret from anyone watching the traffic. Without encryption, an eavesdropper would be able to read and steal private data.
More than 92% of web traffic is now encrypted, but that statistic was below 50% several years ago. At that time, it was pretty easy for someone to go to a coffee shop with public Wi-Fi and "listen in" on all the unencrypted traffic traversing the network. Once there, they would be able to see user names, passwords and other private data. Now, this threat has been highly reduced since it is unlikely that the traffic is unencrypted.
What are the standards for encrypting traffic between domains?
For years, the internet has relied on public-key cryptography to secure traffic. The standard is known as TLS (Transport Layer Security). SSL (Secure Sockets Layer) was the previous standard and was developed by Netscape in the mid '90s. It was upgraded to TLS years later. This cryptography uses RSA (Rivest-Shamir-Adleman) and ECC (Elliptic-Curve Cryptography) based public key encryption protocols along with AES (Advanced Encryption Standard) secret-key encryption to scramble data and make it unreadable, except to the intended recipient. This standard is not only used for web traffic, but also for traffic traversing private networks.
How can you make sure your visitors get to the website they were looking for? One way to provide a higher level of security and trust is by deploying DNSSEC.
How does encryption work?
In general, encryption works by taking plain text and converting it to ciphertext using a mathematical key. The ciphertext is indecipherable by anyone viewing the data without the key. The recipient uses the key to decrypt the data and convert it back to plain text.
One of the critical points about encryption is the key strength. It must be of sufficient length to thwart any potential attacks that might make cracking the key feasible. As computing power has grown, key lengths have also increased. The current minimum key size is 2048 bits for RSA encryption and 256 bits for AES.
We are now facing a threat from potential quantum computers. If a quantum computer with a sufficient number of qubits were developed, it could threaten to break RSA and ECC encryption. For this reason, the industry is looking at "quantum-safe" algorithms that would resist attacks from quantum computers. Although this threat is probably years away, the time to get prepared is now!
What can we use to encrypt traffic between domains?
As mentioned previously, RSA and ECC public key cryptography are key components of internet encryption. However, these are used to establish cryptographic sessions, after which a secret key (using AES) is exchanged. This secret key is used to encrypt the traffic to the recipient. Each device must have the appropriate software to perform the encryption/decryption. Browsers contain these protocols as part of their service. Many other software products also include these cryptographic libraries to perform this function.
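The two stages Dean describes, as an added example that is not part of the interview, written in Go with only the standard library: an ECC (X25519) key agreement between browser and server establishes the session, the AES-256 session key is derived from its shared secret (as TLS 1.3 does), and the traffic is then encrypted with AES-GCM, whose authentication tag also rejects any record altered in transit. Function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// sessionKey is the "establish the session" step: an ECC (X25519) key
// agreement whose shared secret becomes the 32-byte AES-256 session key.
// SHA-256 stands in for the HKDF key schedule TLS 1.3 actually uses.
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := own.ECDH(peer) // needs a private key; the public values alone do not suffice
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

// newAEAD wraps the session key in AES-256-GCM, the record cipher both ends use.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record as nonce || ciphertext || tag.
func sealRecord(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord decrypts a record; it fails if the key is wrong or any byte
// (including the tag) was changed in transit, which is the integrity check.
func openRecord(aead cipher.AEAD, record []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, record[:n], record[n:], nil)
}
```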
Does encryption secure users' privacy as well?
Encryption secures users' privacy in two ways. Firstly, it scrambles data in transit, making it unreadable to eavesdroppers. In this way, credit card numbers, passwords and other private data are kept secret. Secondly, it allows users' browsing sessions to remain private, meaning eavesdroppers can't determine which sites users visit.
Is encryption sufficient? What else can we do?
While encryption provides privacy of data, authentication is also required. At the end of the day, what good is encryption if we don't know who we are encrypting to? So, it's essential that both sides mutually authenticate using public-key cryptography. Visitors need to be assured that the website they are visiting is the actual site they believe they are on. So it follows that identity information, contained in some TLS certificates, should be easily accessible to internet users.
We should always have the three pillars of cybersecurity in mind, namely Confidentiality, Integrity and Availability.
Encryption provides confidentiality. When we digitally sign something, we get integrity because if the receiver cannot verify the signature, we know that the message has been changed. Lastly, we want to ensure that the services we seek are available, whether they be certificate revocation services, certificate requesting services or renewal services. If these services are down, then this will impact users.
Can a multi-domain certificate be advantageous?
Yes, it can. Websites use SSL/TLS certificates to authenticate the website and provide the ability to have an encrypted session between the browser and server. The website server can have a multi-domain certificate that can protect the base domain and an additional domain or domains. This means there are fewer certificates to manage and will likely provide cost savings to the certificate buyer. DigiCert provides all types of certificates for authentication and encryption, including wildcard and multi-domain certificates.